Solaris: Address Space Layout Randomization (ASLR)

Address Space Layout Randomization (ASLR) is a defense mechanism against attacks that exploit software vulnerabilities, such as buffer overflows and Return Oriented Programming (ROP). In a ROP attack, the attacker gains control of the call stack of a running process and manipulates program control flow to execute instructions of their choice.

All major operating systems, including Solaris, support ASLR to minimize the risk of such attacks. Without it, userland processes generally place the starting addresses of key areas at known locations. ASLR randomizes the starting addresses of the key areas of the process address space, such as the base of the executable, the stack, the brk-based heap, and memory mappings, including the mappings of libraries.

On Solaris, ASLR is configurable at the system level (global and local zones) and at the binary and process level with the sxadm command-line utility. ASLR can be enabled or disabled for all processes, or selectively enabled or disabled for certain applications by tagging the related binaries. A tag is just a special ELF entry in the target binary's dynamic section that explicitly states whether or not to enable the defense mechanism. Binary tagging takes precedence over the system-level configuration. Out of the box, many userland binaries on Solaris are tagged to enable ASLR, and by default Solaris boots the global zone and all non-global zones with ASLR enabled only for those binaries that are explicitly marked (tagged) to support it.
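To observe the randomization described above, the following C probe re-executes itself twice and compares one address from each area (executable text, stack, brk-based heap, an anonymous memory mapping). It is an added example, not code from the original article; the names `sample_layout` and `sample_child` and the `--probe` argument are assumptions made for this example.

```c
#define _DEFAULT_SOURCE            /* glibc: expose sbrk() and MAP_ANON */
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

#define NREGIONS 4
static const char *region_name[NREGIONS] = { "executable", "stack", "brk heap", "mmap" };

/* Record one address from each area the article lists as randomized. */
void sample_layout(uintptr_t out[NREGIONS]) {
    int on_stack = 0;
    void *map = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
    out[0] = (uintptr_t)sample_layout;                  /* text of the executable */
    out[1] = (uintptr_t)&on_stack;                      /* current stack frame */
    out[2] = (uintptr_t)sbrk(0);                        /* end of the brk-based heap */
    out[3] = (map == MAP_FAILED) ? 0 : (uintptr_t)map;  /* anonymous memory mapping */
    if (out[3]) munmap(map, 4096);
}

/* Re-execute this program and read its sample; a fork alone inherits the layout. */
static int sample_child(char *self, uintptr_t out[NREGIONS]) {
    int fd[2];
    ssize_t want = NREGIONS * sizeof out[0], got = -1;
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                     /* child: stdout -> pipe, then exec */
        dup2(fd[1], STDOUT_FILENO);
        execlp(self, self, "--probe", (char *)NULL);
        _exit(127);                     /* reached only if exec failed */
    }
    close(fd[1]);
    if (pid > 0) { got = read(fd[0], out, want); waitpid(pid, NULL, 0); }
    close(fd[0]);
    return got == want ? 0 : -1;
}

int main(int argc, char **argv) {
    uintptr_t a[NREGIONS], b[NREGIONS];
    if (argc > 1) {                     /* probe mode: emit one sample and exit */
        sample_layout(a);
        return write(STDOUT_FILENO, a, sizeof a) == (ssize_t)sizeof a ? 0 : 1;
    }
    if (sample_child(argv[0], a) || sample_child(argv[0], b)) return 1;
    for (int i = 0; i < NREGIONS; i++)
        printf("%-10s %#18lx %#18lx %s\n", region_name[i], (unsigned long)a[i],
               (unsigned long)b[i], a[i] != b[i] ? "moved" : "same");
    return 0;
}
```

Because Solaris by default randomizes only tagged binaries, an untagged build of this probe should report every region as "same" on a default configuration. Once ASLR is enabled for all processes or the binary is tagged, the regions should be reported as "moved".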

ASLR is managed as a security extension by the sxadm command-line utility. The sxadm command configures and controls Solaris security extensions both at the system level (global zone, non-global zone) and at the process level.

The enable and disable subcommands enable and disable ASLR system-wide, and the delcust subcommand resets custom ASLR configuration to the out-of-the-box default configuration.

Please check the man page of sxadm(1M) for detailed information about all supported options.

Binary tagging takes precedence over runtime process configuration if the binary was tagged to disable ASLR.

Note:

ASLR can make debugging difficult, especially when the work requires consistent and repeatable conditions, including address space offsets. In such situations, disable ASLR temporarily for the target binary (best case) or for the entire system (worst case) until the debugging exercise completes.